Alert essentials:
A SQL injection vulnerability allows elevation of privileges and unauthorized access to MOVEit databases. Researchers are seeing mass exploitation of the vulnerability, resulting in extortion, data theft, and victim sharing. Patches and mitigations are available.

Update:
Multiple SQL injection vulnerabilities have been found; update using the new June 9th patch.


Detailed threat description:
Fortified Health Security VTM clients can search for these vulnerabilities using Nessus Professional Plugin ID 176567 in the dashboard:

  • A SQL injection vulnerability has been discovered in the Progress MOVEit Transfer application.
  • The flaw could allow an unauthenticated attacker to gain unauthorized access to MOVEit databases.
  • A backdoor uploaded during the attack, human2.aspx, allows attackers to download any file within MOVEit and to obtain active sessions that bypass credential checks.
  • Patches are available for all supported MOVEit Transfer versions.
  • Mitigations are also available and include:
    • Delete any instances of the human2.aspx and .cmdline script files
    • Disable all HTTP/HTTPS traffic to the MOVEit Transfer environment
    • Delete any unauthorized files and accounts
    • Reset service account credentials for affected systems and the MOVEit service account

Update:

  • June 9th, 2023
    • To investigate the MOVEit vulnerabilities in more detail, Progress hired a third-party expert to review data and conduct further code reviews. Through this review, multiple SQL injection vulnerabilities have been identified, and an even newer patch has been released.

Impact on healthcare organizations
Secure, efficient movement of files in a healthcare organization accelerates the delivery of patient care. However, file transfer applications greatly increase a network's attack surface. Vulnerabilities in these applications can have varied effects, up to the loss of the entire network. Loss of access to that technology can have devastating impacts on patient diagnosis and treatment.

Affected products / versions

  • Progress MOVEit Transfer versions before:
    • (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1)
    • Update:
      • All versions of MOVEit Transfer are affected by the newly discovered vulnerabilities. MOVEit Cloud was also found to be affected; however, the cloud service shows as fully patched at this time.
  • Unaffected Products are:
    • MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics, and MOVEit Freely.
    • Currently, no action is necessary for the above-mentioned products.
  • CVEs:
    • CVE-2023-34362
    • CVE-2023-35036

Recommendations

Engineering recommendations:

  • APPLY THE LATEST PATCH RELEASE – from June 9th, 2023
  • Remove network connectivity from the MOVEit environment
  • Look for any new files created in the C:\Windows\TEMP\[random]\ directory with a [.]cmdline file extension.
  • Likewise, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
  • Apply patches or mitigations to MOVEit environments.
  • Examine the C:\MOVEitTransfer\wwwroot folder for any suspicious recently created files, such as human2.aspx or App_Web_[RANDOM].dll files with the same or similar timestamps.
  • Retain a copy of all IIS logs and network data volume logs.
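The file-system checks above (and the "delete human2.aspx and .cmdline files" mitigation earlier in this advisory) can be scripted so the same hunt runs identically on every MOVEit host. The following is an added example, not code from Fortified or Progress: it looks for human2.aspx, App_Web_[RANDOM].dll files and [.]cmdline scripts created within a review window, and correlates anything in wwwroot that shares a timestamp with the web shell. The default paths are the advisory's install locations; the time window, correlation window and the constructed demo tree are assumptions.

```python
"""Hunt for the MOVEit Transfer artifacts named in the advisory.

Added example, not code from Fortified or Progress. Paths default to the
advisory's install locations, but every function takes them as arguments,
so the demo runs against a constructed directory tree on any OS.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# File names the advisory calls out: the human2.aspx web shell and the
# App_Web_<random>.dll that ASP.NET compiles next to it.
WEBSHELL_NAME = "human2.aspx"
APP_WEB_DLL = re.compile(r"^App_Web_[A-Za-z0-9_-]+\.dll$", re.IGNORECASE)
CMDLINE_SUFFIX = ".cmdline"


def _files_newer_than(root, cutoff_epoch):
    """Yield (path, mtime) for files under root modified after cutoff.
    mtime is used because NTFS creation time is not exposed portably."""
    root = Path(root)
    if not root.is_dir():
        return
    for p in root.rglob("*"):
        if p.is_file():
            mtime = p.stat().st_mtime
            if mtime >= cutoff_epoch:
                yield p, mtime


def find_cmdline_scripts(temp_root=r"C:\Windows\TEMP", since_days=30, now=None):
    """Return .cmdline files under TEMP\\<random>\\ modified in the window."""
    now = time.time() if now is None else now
    cutoff = now - since_days * 86400
    return sorted(str(p) for p, _ in _files_newer_than(temp_root, cutoff)
                  if p.suffix.lower() == CMDLINE_SUFFIX)


def find_webshell_artifacts(wwwroot=r"C:\MOVEitTransfer\wwwroot", since_days=30,
                            window_seconds=120, now=None):
    """Return {'webshell': [...], 'dlls': [...], 'same_time_as_shell': [...]}.

    'same_time_as_shell' lists every recent file whose mtime is within
    window_seconds of a human2.aspx hit, which catches the App_Web DLL and
    any other dropped file that shares the shell's timestamp."""
    now = time.time() if now is None else now
    cutoff = now - since_days * 86400
    recent = list(_files_newer_than(wwwroot, cutoff))
    shells = [(p, t) for p, t in recent if p.name.lower() == WEBSHELL_NAME]
    dlls = [p for p, _ in recent if APP_WEB_DLL.match(p.name)]
    shell_times = [t for _, t in shells]
    near = [p for p, t in recent
            if p.name.lower() != WEBSHELL_NAME
            and any(abs(t - st) <= window_seconds for st in shell_times)]
    return {"webshell": sorted(str(p) for p, _ in shells),
            "dlls": sorted(str(p) for p in dlls),
            "same_time_as_shell": sorted(str(p) for p in near)}


def demo():
    """Build a constructed tree mirroring the advisory's paths and scan it.
    Returns the findings as bare file names so they are easy to check."""
    now = time.time()
    base = Path(tempfile.mkdtemp(prefix="moveit-hunt-"))
    www = base / "MOVEitTransfer" / "wwwroot"
    tmp = base / "Windows" / "TEMP" / "abcd1234"
    www.mkdir(parents=True)
    tmp.mkdir(parents=True)
    # Constructed artifacts: shell and DLL dropped 30 s apart an hour ago, a
    # legitimate page last touched 90 days ago, and a .cmdline script in TEMP.
    for name, age in (("human2.aspx", 3600), ("App_Web_zx9q1k.dll", 3630),
                      ("default.aspx", 90 * 86400)):
        f = www / name
        f.write_text("")
        os.utime(f, (now - age, now - age))
    (tmp / "abcd1234.cmdline").write_text("")
    www_hits = find_webshell_artifacts(www, now=now)
    cmd_hits = find_cmdline_scripts(base / "Windows" / "TEMP", now=now)
    return {key: [Path(p).name for p in www_hits[key]] for key in www_hits} | \
           {"cmdline": [Path(p).name for p in cmd_hits]}


if __name__ == "__main__":
    print(demo())
```

On a production host, run it with the defaults (or point `wwwroot` and `temp_root` at a forensic copy) and preserve, rather than delete, anything it reports until the IIS logs have been pulled, since the timestamps on these files are what ties them to log entries.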

Leadership / program recommendations:

  • Direct teams to search for indicators of unauthorized access over at least the last 30 days.
  • Request that logs be reviewed for any unexpected file downloads from unknown IP addresses, or for unusually large volumes of downloaded files.
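The log review requested above can be reduced to three questions against the retained IIS logs: did anyone request human2.aspx, which source IPs are outside the known-client list, and which IPs pulled an unusual volume of data. The following is an added example, not code from Fortified or Progress: it parses IIS W3C-format log text using the #Fields header, so it works with any field set that includes sc-bytes. The log lines, the known-IP list, the 100 MiB threshold and the download URL paths are all constructed for the demo.

```python
"""Triage IIS W3C logs from a MOVEit Transfer host for the signs the advisory
names: requests to the human2.aspx web shell, traffic from IPs outside the
known-client list, and unusually large download volumes per source IP.

Added example, not Fortified's or Progress's code. The log lines below are
constructed; field order is read from the #Fields header, so real logs with
a different field set parse the same way as long as sc-bytes is logged.
"""
from collections import defaultdict

# Constructed sample: two hits on the web shell followed by large downloads
# from 203.0.113.7, and ordinary traffic from a known client at 192.0.2.10.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes
2023-05-28 02:11:04 GET /human2.aspx - 203.0.113.7 200 1450
2023-05-28 02:11:09 POST /human2.aspx - 203.0.113.7 200 512
2023-05-28 02:12:30 GET /files/1001/download - 203.0.113.7 200 52428800
2023-05-28 02:13:02 GET /files/1002/download - 203.0.113.7 200 73400320
2023-05-28 08:00:15 GET /Home.aspx - 192.0.2.10 200 2048
2023-05-28 08:01:40 GET /files/1003/download - 192.0.2.10 200 1048576
"""


def parse_iis_log(text):
    """Turn W3C extended log text into a list of dicts keyed by field name."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header can repeat per log file
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            parts = line.split()
            if len(parts) == len(fields):      # skip truncated lines
                rows.append(dict(zip(fields, parts)))
    return rows


def _to_int(value):
    return int(value) if value and value.isdigit() else 0


def triage(rows, known_ips=frozenset(), byte_threshold=100 * 2 ** 20):
    """Return findings for the three advisory questions.

    known_ips: source addresses expected to reach the server (assumption:
    maintained by the organization); anything else is reported as unknown.
    byte_threshold: total 200-OK GET response bytes per IP above which the
    IP is flagged as a bulk downloader (100 MiB here, tune per environment).
    """
    per_ip = defaultdict(lambda: {"requests": 0, "bytes": 0})
    webshell, unknown = [], set()
    for r in rows:
        ip = r.get("c-ip", "-")
        stem = r.get("cs-uri-stem", "").lower()
        if stem.endswith("/human2.aspx"):
            webshell.append((r["date"] + " " + r["time"], ip, r.get("cs-method", "-")))
        if ip not in known_ips:
            unknown.add(ip)
        if r.get("sc-status") == "200" and r.get("cs-method") == "GET":
            per_ip[ip]["requests"] += 1
            per_ip[ip]["bytes"] += _to_int(r.get("sc-bytes"))
    return {
        "webshell_requests": webshell,
        "unknown_ips": sorted(unknown),
        "bytes_by_ip": {ip: s["bytes"] for ip, s in per_ip.items()},
        "bulk_download_ips": sorted(ip for ip, s in per_ip.items()
                                    if s["bytes"] >= byte_threshold),
    }


if __name__ == "__main__":
    result = triage(parse_iis_log(SAMPLE_LOG), known_ips={"192.0.2.10"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

Any hit in `webshell_requests` is an incident, not a hunch; the `unknown_ips` and `bulk_download_ips` lists are leads to be reviewed against the MOVEit audit trail and the organization's own client inventory, since a large legitimate transfer will trip the byte threshold too.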

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
